11. Set the Server List field to a comma-separated list of RADIUS servers.

12. Set the Deadtime field to configure the time that the switch waits before retesting a dead server, and click Apply to save these changes.


10. Check the list of switches that you want to configure server groups on.

11. Set the Server List field to a comma-separated list of TACACS servers.

12. Set the Deadtime field to configure the time that the switch waits before retesting a dead server, and click Apply to save these changes.


2. Check the list of switches that you want to configure server groups on.

3. Set the Server List field to a comma-separated list of RADIUS servers.

4. Set the Deadtime field to configure the time that the switch waits before retesting a dead server, and click Apply to save these changes.

2. Check the list of switches that you want to configure server groups on.

3. Set the Server List field to a comma-separated list of TACACS servers.

4. Set the Deadtime field to configure the time that the switch waits before retesting a dead server, and click Apply to save these changes.

3. View the Cisco IOS/PIX RADIUS Attributes setting for a user. Verify that the user is assigned the correct roles in the AV-pairs. For example, shell:roles="network-admin".

Note: The Cisco IOS/PIX RADIUS Attributes field is case-sensitive. Verify that the role listed in the AV-pair exists on the Cisco SAN-OS switch.

4. If the Cisco IOS/PIX RADIUS Attributes field is not present, follow these steps:

7. On the Cisco SAN-OS switch, use the show radius-server command to verify that the RADIUS server timeout value is set to 5 seconds or greater.

Refer to the User Guide for Cisco Secure ACS at the following website for more information:

Troubleshooting RADIUS and TACACS

The authentication, authorization, and accounting (AAA) feature verifies the identity of, grants access to, and tracks the actions of users managing a switch. All Cisco MDS 9000 Family switches use the Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) protocols to provide solutions using remote AAA servers.

This section includes the following topics:

AAA Overview

Initial Troubleshooting Checklist

AAA Issues

Troubleshooting RADIUS and TACACS+ With Cisco ACS

AAA Overview

Based on the user ID and password combination provided, switches perform local authentication or authorization using the local database or remote authentication or authorization using AAA server(s). A preshared secret key provides security for communication between the switch and AAA servers. This secret key can be configured as a global key for all AAA servers or on a per AAA server basis. This security mechanism provides a central management capability for AAA servers.

Common Troubleshooting Commands in the CLI

Use the following debug commands to determine the root cause of an issue:

debug radius aaa-request

debug radius aaa-request-lowlevel

debug tacacs aaa-request

debug tacacs aaa-request-lowlevel

AAA Issues

This section describes common AAA issues and includes the following topics:

Switch Does Not Communicate with AAA Server

User Authentication Fails

User Is Not in Any Configured Role

User Cannot Access Certain Features

Switch Does Not Communicate with AAA Server

Several misconfigurations can prevent the Cisco SAN-OS switch from communicating with an AAA server.

Symptom: Switch does not communicate with AAA server.

Table 17-1 Switch Does Not Communicate with AAA Server

Symptom: Switch does not communicate with AAA server.

Possible Cause: Incorrect authentication or accounting port configured.
Solution: Reconfigure the authentication or accounting ports to match those configured on the AAA server.
For RADIUS servers, see the "Verifying RADIUS Configuration Using Fabric Manager" section or the "Verifying RADIUS Configuration Using the CLI" section.
For TACACS servers, see the "Verifying TACACS Configuration Using Fabric Manager" section or the "Verifying TACACS Configuration Using the CLI" section.

Possible Cause: Incorrect preshared key configured.
Solution: Reconfigure the same preshared key on the switch and the AAA server.
For RADIUS servers, see the "Verifying RADIUS Configuration Using Fabric Manager" section or the "Verifying RADIUS Configuration Using the CLI" section.
For TACACS servers, see the "Verifying TACACS Configuration Using Fabric Manager" section or the "Verifying TACACS Configuration Using the CLI" section.

Possible Cause: AAA server monitor deadtime set too high.
Solution: Set the deadtime lower so that a server that has recovered is returned to service more quickly.
For RADIUS servers, see the "Verifying RADIUS Server Monitor Configuration Using Fabric Manager" section or the "Verifying RADIUS Server Monitor Configuration Using the CLI" section.
For TACACS servers, see the "Verifying TACACS Server Monitor Configuration Using Fabric Manager" section or the "Verifying TACACS Server Monitor Configuration Using the CLI" section.

Possible Cause: Timeout value too low.
Solution: Change the server timeout value to ten seconds or higher.
For RADIUS servers, see the "Verifying RADIUS Server Monitor Configuration Using Fabric Manager" section or the "Verifying RADIUS Server Monitor Configuration Using the CLI" section.
For TACACS servers, see the "Verifying TACACS Server Monitor Configuration Using Fabric Manager" section or the "Verifying TACACS Server Monitor Configuration Using the CLI" section.
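The "incorrect preshared key" row above deserves a closer look, because a wrong key does not show up as a rejected login: it shows up as a server the switch appears unable to talk to. The following added example (not from the Cisco guide, and not the switch's own code) builds a RADIUS Access-Request the way RFC 2865 specifies, with User-Password hidden under the shared secret, and then checks the server's reply with the switch's secret. The secrets, user name, password and the fixed Request Authenticator used below are constructed for the example.

```python
# Added example (not from the Cisco guide): how the RADIUS shared secret is
# used on the wire (RFC 2865), and why a secret mismatch looks like "no
# communication" rather than a rejected login.  Secrets, user, password and
# the Request Authenticator used here are constructed for this example.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _xor_chain(data: bytes, secret: bytes, request_auth: bytes, decrypt: bool) -> bytes:
    # RFC 2865 section 5.2: b1 = MD5(S + RA), c1 = p1 xor b1, b2 = MD5(S + c1), ...
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(block, b))
        prev = block if decrypt else out[i:i + 16]   # chain on the ciphertext block
    return out


def encrypt_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)   # pad to 16-byte blocks
    return _xor_chain(padded, secret, request_auth, decrypt=False)


def decrypt_user_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _xor_chain(cipher, secret, request_auth, decrypt=True).rstrip(b"\x00")


def attr(t: int, value: bytes) -> bytes:
    return struct.pack("!BB", t, len(value) + 2) + value


def parse_attrs(packet: bytes) -> dict:
    attrs, pos, length = {}, 20, struct.unpack("!H", packet[2:4])[0]
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, body: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, body, request_auth, secret) -> bytes:
    # RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_access_request(user, password, secret, request_auth=None):
    ra = request_auth or os.urandom(16)
    body = attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD,
                                             encrypt_user_password(password, secret, ra))
    return build_packet(ACCESS_REQUEST, 0x2A, ra, body), ra


def server_handle(request, server_secret, valid_password):
    """What the AAA server does: decrypt User-Password with *its* secret, then
    answer with a Response Authenticator computed over *its* secret."""
    code, ident, _ = struct.unpack("!BBH", request[:4])
    ra, attrs = request[4:20], parse_attrs(request)
    ok = decrypt_user_password(attrs[ATTR_USER_PASSWORD], server_secret, ra) == valid_password
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply, ident, b"", ra, server_secret)
    return build_packet(reply, ident, auth, b""), ok


def verify_response(response, request_auth, switch_secret) -> bool:
    """What the switch does: recompute the Response Authenticator with its own
    secret.  On mismatch the reply is silently discarded, so the switch keeps
    retransmitting until the server is declared unreachable."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, response[20:length], request_auth, switch_secret)
    return hmac.compare_digest(response[4:20], expected)


def exchange(switch_secret, server_secret, user=b"admin", password=b"Fabric!23", request_auth=None):
    """Returns (server accepted the password, switch accepted the response)."""
    req, ra = build_access_request(user, password, switch_secret, request_auth)
    resp, accepted = server_handle(req, server_secret, password)
    return accepted, verify_response(resp, ra, switch_secret)


if __name__ == "__main__":
    secret = b"fabric-aaa-key"
    print("matching secrets:", exchange(secret, secret))
    print("switch key typo: ", exchange(b"fabric-aaa-kez", secret))
```

With matching secrets the exchange returns (True, True). With a one-character typo on the switch side the server decrypts the password to garbage and sends Access-Reject, but the switch cannot validate even that reply, so it sees only timeouts: exactly the symptom in the table, and the reason to check the key before anything else when the debug output shows requests going out and nothing usable coming back.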

Verifying RADIUS Configuration Using Fabric Manager

To verify or change the RADIUS configuration using Fabric Manager, follow these steps:

1. Choose Switches > Security > AAA > RADIUS and select the Servers tab. You see the RADIUS configuration in the Information pane.

2. Highlight the server that you need to change and click Delete Row to delete this server configuration.

3. Click Create Row to add a new RADIUS server.

4. Set the KeyType and Key fields to the preshared key configured on the RADIUS server.

5. Set the AuthPort and AcctPort fields to the authentication and accounting ports configured on the RADIUS server.

6. Set the TimeOut value and click Apply to save these changes.

7. Click the CFS tab and select commit from the Config Action drop-down menu and click Apply Changes to distribute these changes to all switches in the fabric.

Verifying RADIUS Configuration Using the CLI

To verify or change the RADIUS configuration using the CLI, follow these steps:

1. Use the show radius-server command to display configured RADIUS parameters.

switch# show radius-server
Global RADIUS shared secret:*******
retransmission count:5
timeout value:10
following RADIUS servers are configured:
myradius.cisco.users.com:
available for authentication on port:1812
available for accounting on port:1813
10.1.1.1:
available for authentication on port:1812
available for accounting on port:1813
RADIUS shared secret:******
10.2.2.3:
available for authentication on port:1812
available for accounting on port:1813
RADIUS shared secret:******

2. Use the radius-server host ip-address key command to set the preshared key to match what is configured on your RADIUS server.

3. Use the radius-server host ip-address auth-port command to set the authentication port to match what is configured on your RADIUS server.

4. Use the radius-server host ip-address acct-port command to set the accounting port to match what is configured on your RADIUS server.

5. Use the radius-server timeout command to set the period in seconds for the switch to wait for a response from all RADIUS servers before the switch declares a timeout failure.

6. Use the radius commit command to commit any changes and distribute to all switches in the fabric.

Verifying TACACS Configuration Using Fabric Manager

To verify or change the TACACS configuration using Fabric Manager, follow these steps:

1. Choose Switches > Security > AAA > TACACS and click the Servers tab. You see the TACACS configuration in the Information panel.

2. Highlight the server that you need to change and click Delete Row to delete this server configuration.

3. Click Create Row to add a new TACACS server.

4. Set the KeyType and Key fields to the preshared key configured on the TACACS server.

5. Set the AuthPort and AcctPort fields to the authentication and accounting ports configured on the TACACS server.

6. Set the TimeOut value and click Apply to save these changes.

7. Click the CFS tab and select commit from the Config Action drop-down menu and click Apply Changes to distribute these changes to all switches in the fabric.

Verifying TACACS Configuration Using the CLI

To verify or change the TACACS configuration using the CLI, follow these steps:

1. Use the show tacacs-server command to display configured TACACS parameters.

switch# show tacacs-server
Global TACACS+ shared secret:***********
timeout value:30
total number of servers:3
following TACACS+ servers are configured:
11.5.4.3:
available on port:2
cisco.com:
available on port:49
11.6.5.4:
available on port:49
TACACS+ shared secret:*****

2. Use the tacacs-server host ip-address key command to set the preshared key to match what is configured on your TACACS server.

3. Use the tacacs-server host ip-address port command to set the communications port to match what is configured on your TACACS server.

4. Use the tacacs-server timeout command to set the period in seconds for the switch to wait for a response from all TACACS servers before the switch declares a timeout failure.

5. Use the tacacs commit command to commit any changes and distribute to all switches in the fabric.
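Both CLI procedures above come down to reading the show output and comparing it, server by server, with what the AAA server actually listens on. The following added example (not from the Cisco guide) parses the two sample outputs shown in the RADIUS and TACACS CLI procedures above and reports the mismatches Table 17-1 asks you to look for: wrong ports, a timeout below ten seconds, and which shared secret (global or per-server) is the one in effect for each server. The expected port values passed to audit() are the standard RADIUS (1812/1813) and TACACS+ (49) ports and are an input you supply, not something the parser assumes.

```python
# Added example, not from the Cisco guide: parse `show radius-server` and
# `show tacacs-server` output and check it against what the AAA server uses.
# The two sample outputs are copied from the procedures above.
import re

SHOW_RADIUS_SERVER = """\
Global RADIUS shared secret:*******
retransmission count:5
timeout value:10
following RADIUS servers are configured:
myradius.cisco.users.com:
available for authentication on port:1812
available for accounting on port:1813
10.1.1.1:
available for authentication on port:1812
available for accounting on port:1813
RADIUS shared secret:******
10.2.2.3:
available for authentication on port:1812
available for accounting on port:1813
RADIUS shared secret:******
"""

SHOW_TACACS_SERVER = """\
Global TACACS+ shared secret:***********
timeout value:30
total number of servers:3
following TACACS+ servers are configured:
11.5.4.3:
available on port:2
cisco.com:
available on port:49
11.6.5.4:
available on port:49
TACACS+ shared secret:*****
"""

SERVER_HEADER = re.compile(r"^(\S+):$")                       # "10.1.1.1:" or "cisco.com:"
PORT_LINE = re.compile(r"^available(?: for (authentication|accounting))? on port:(\d+)$")
PORT_KEYS = {"authentication": "auth_port", "accounting": "acct_port", None: "port"}


def parse_show_server(text: str) -> dict:
    """Return {"timeout", "retransmit", "global_key", "servers": {name: {...}}}."""
    cfg = {"timeout": None, "retransmit": None, "global_key": False, "servers": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"^timeout value:(\d+)$", line):
            cfg["timeout"] = int(m.group(1))
        elif m := re.match(r"^retransmission count:(\d+)$", line):
            cfg["retransmit"] = int(m.group(1))
        elif line.startswith("Global ") and "shared secret:" in line:
            cfg["global_key"] = True
        elif m := SERVER_HEADER.match(line):
            current = cfg["servers"].setdefault(m.group(1), {"per_server_key": False})
        elif current is not None and (m := PORT_LINE.match(line)):
            current[PORT_KEYS[m.group(1)]] = int(m.group(2))
        elif current is not None and "shared secret:" in line:
            current["per_server_key"] = True   # this server overrides the global key
    return cfg


def audit(cfg: dict, expected_ports: dict, min_timeout: int = 10) -> list:
    """Findings as (scope, level, message).  expected_ports is what the AAA server
    listens on: {"auth_port": 1812, "acct_port": 1813} for RADIUS, {"port": 49} for TACACS+."""
    findings = []
    if cfg["timeout"] is not None and cfg["timeout"] < min_timeout:
        findings.append(("global", "warn", f"timeout {cfg['timeout']}s is below {min_timeout}s"))
    for name, srv in cfg["servers"].items():
        for key, want in expected_ports.items():
            got = srv.get(key)
            if got != want:
                findings.append((name, "error", f"{key} {got} does not match AAA server {want}"))
        if not srv["per_server_key"]:
            findings.append((name, "info", "no per-server key; the global shared secret is the one to compare"))
    return findings


if __name__ == "__main__":
    for label, text, ports in (("RADIUS", SHOW_RADIUS_SERVER, {"auth_port": 1812, "acct_port": 1813}),
                               ("TACACS+", SHOW_TACACS_SERVER, {"port": 49})):
        for scope, level, msg in audit(parse_show_server(text), ports):
            print(f"{label}: {scope}: {level}: {msg}")
```

Run against the page's own TACACS output, the audit flags 11.5.4.3 because it is configured on port 2 rather than 49, and notes that 11.5.4.3 and cisco.com carry no per-server key, so the global secret is what must match on those servers.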

Verifying RADIUS Server Monitor Configuration Using Fabric Manager

To verify or change the RADIUS server monitor configuration using Fabric Manager, follow these steps:

1. Choose Switches > Security > AAA > RADIUS and click the Servers tab. You see the RADIUS configuration in the Information panel.

2. Highlight the server that you need to change and click Delete Row to delete this server configuration.

3. Click Create Row to add a new RADIUS server.

4. Set the KeyType and Key fields to the preshared key configured on the RADIUS server.

5. Set the AuthPort and AcctPort fields to the authentication and accounting ports configured on the RADIUS server.

6. Set the Idle Time to configure the time that the switch waits for a RADIUS server to be idle before sending a test message to see if the server is still alive.

7. Set the TimeOut value and click Apply to save these changes.

8. Click the CFS tab and select commit from the Config Action drop-down menu and click Apply Changes to distribute these changes to all switches in the fabric.

Verifying RADIUS Server Monitor Configuration Using the CLI

To verify or change the RADIUS server monitor configuration using the CLI, follow these steps:

2. Use the radius-server host ip-address test idle-time command to configure the time that the switch waits for a RADIUS server to be idle before sending a test message to see if the server is still alive.

3. Use the radius-server deadtime command to configure the time that the switch waits before retesting a dead server.

4. Use the radius commit command to commit any changes and distribute to all switches in the fabric.

Verifying TACACS Server Monitor Configuration Using Fabric Manager

To verify or change the TACACS server monitor configuration using Fabric Manager, follow these steps:

1. Choose Switches > Security > AAA > TACACS and click the Servers tab. You see the TACACS configuration in the Information panel.

2. Highlight the server that you need to change and click Delete Row to delete this server configuration.

3. Click Create Row to add a new TACACS server.

4. Set the KeyType and Key fields to the preshared key configured on the TACACS server.

5. Set the AuthPort and AcctPort fields to the authentication and accounting ports configured on the TACACS server.

6. Set the Idle Time field to configure the time that the switch waits for a TACACS server to be idle before sending a test message to see if the server is still alive.

7. Set the TimeOut value and click Apply to save these changes.

8. Click the CFS tab and select commit from the Config Action drop-down menu and click Apply Changes to distribute these changes to all switches in the fabric.

Verifying TACACS Server Monitor Configuration Using the CLI

To verify or change the TACACS server monitor configuration using the CLI, follow these steps:

2. Use the tacacs-server host ip-address test idle-time command to configure the time that the switch waits for a TACACS server to be idle before sending a test message to see if the server is still alive.

3. Use the tacacs-server deadtime command to configure the time that the switch waits before retesting a dead server.

4. Use the tacacs commit command to commit any changes and distribute to all switches in the fabric.
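The four monitor settings in the procedures above (server timeout, retransmission count, test idle-time and deadtime) interact, and Table 17-1 gives advice on two of them without showing the arithmetic. The following added example (not from the Cisco guide, and not a model of the SAN-OS implementation) is a simplified simulation of one server group with the first server down: it shows how long a login waits with no deadtime, how deadtime makes only the first login pay, how an idle-time test probe makes no login pay, and why a deadtime that is too high keeps a recovered server out of service. It assumes the switch tries servers in list order, sends one request plus `retransmit` retries per server, waits `timeout` seconds for each, and skips a server marked dead until its deadtime expires; the server addresses are constructed for the example.

```python
# Added example, not from the Cisco guide: a simplified model of how timeout,
# retransmission count, deadtime and test idle-time decide how long a login
# waits when the first server in the group is unreachable.  Assumptions (not
# stated by the guide): servers are tried in list order, one request plus
# `retransmit` retries per server, each waiting `timeout` seconds; a server
# marked dead is skipped until its deadtime expires.  Simulation time is in
# seconds; deadtime and idle-time are in minutes, as on the CLI.
from dataclasses import dataclass


@dataclass
class MonitorConfig:
    timeout: int = 10        # radius-server timeout / tacacs-server timeout (seconds)
    retransmit: int = 1      # retransmission count
    deadtime: int = 0        # radius-server deadtime (minutes); 0 = never skip a failed server
    test_idle_time: int = 0  # ... host <ip-address> test idle-time (minutes); 0 = no test probes


@dataclass
class Server:
    name: str
    up: bool                 # whether the real server would answer right now
    dead_until: float = 0.0  # simulation time until which the monitor skips this server


def probe_cost(cfg: MonitorConfig) -> int:
    """Seconds spent on one unreachable server: initial request plus retries."""
    return cfg.timeout * (cfg.retransmit + 1)


def authenticate(servers, cfg, now):
    """Walk the server group the way the switch would for one login.
    Returns (name of the server that answered or None, seconds the user waited)."""
    waited = 0
    for s in servers:
        if cfg.deadtime and now + waited < s.dead_until:
            continue                     # marked dead by the monitor: skipped at no cost
        if s.up:
            return s.name, waited
        waited += probe_cost(cfg)        # timed out on this server
        if cfg.deadtime:
            s.dead_until = now + waited + cfg.deadtime * 60
    return None, waited                  # every server failed: switch falls back (e.g. local)


def idle_probe(servers, cfg, now):
    """Test message sent after `test idle-time` minutes of silence: a server that
    does not answer is marked dead before any user has to wait on it.
    Assumption: probes only matter when deadtime is configured."""
    if not (cfg.test_idle_time and cfg.deadtime):
        return []
    marked = []
    for s in servers:
        if not s.up and now >= s.dead_until:
            s.dead_until = now + cfg.deadtime * 60
            marked.append(s.name)
    return marked


def login_delays(servers, cfg, login_times):
    """Seconds each login waited before a server answered."""
    return [authenticate(servers, cfg, t)[1] for t in login_times]


def make_servers():
    # Constructed server group: the first server is down, the second is healthy.
    return [Server("10.1.1.1", up=False), Server("10.2.2.3", up=True)]


if __name__ == "__main__":
    no_monitor = MonitorConfig(timeout=10, retransmit=1, deadtime=0)
    monitor = MonitorConfig(timeout=10, retransmit=1, deadtime=5, test_idle_time=1)
    print("no deadtime:   ", login_delays(make_servers(), no_monitor, [0, 60, 120]))
    print("deadtime 5 min:", login_delays(make_servers(), monitor, [0, 60, 120, 400]))
    probed = make_servers()
    idle_probe(probed, monitor, 0)
    print("after probe:   ", login_delays(probed, monitor, [30, 90]))
```

With timeout 10 and one retransmission, every login pays 20 seconds on the dead server when deadtime is 0; with deadtime 5 only the first login pays and the next ones are answered immediately until the five minutes elapse; an idle-time probe moves that first 20-second hit out of the login path entirely. The reverse trade-off is the one in Table 17-1: with deadtime 60 a server that recovered after two minutes is still bypassed an hour later, while with deadtime 1 it is back in service on the next login.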

User Authentication Fails

Symptom: User authentication fails.

Table 17-2 User Authentication Fails

Symptom: User authentication fails.

Possible Cause: Incorrect AAA method configured.
Solution: Verify that the configured AAA authentication method lists the appropriate RADIUS or TACACS+ server group first.
For RADIUS servers, see the "Verifying RADIUS Configuration Using Fabric Manager" section or the "Verifying RADIUS Configuration Using the CLI" section.
For TACACS servers, see the "Verifying TACACS Configuration Using Fabric Manager" section or the "Verifying TACACS Configuration Using the CLI" section.